Permission denied for action find on class

Hello folks!

Not sure if I should classify this as a Parse Server question or Dashboard question. I am trying out the latest Parse Server (master branch, 4.2.0 at the moment of writing) and the latest dashboard (version 2.1.0). I created a small class and set up the CLP as follows:

Whenever I try to do a simple find query, I get the following error

ParseError: Permission denied for action find on class FooClass.

Why am I getting such an error? Shouldn’t I get an array of objects or an empty array if the user does not have the permission to read any rows?

Best regards,

- Musa

It seems that you disabled read for authenticated users and public. So here your query must be executed with the master key in cloud code, with the useMasterKey: true option. To allow front queries, you should enable authenticated at least; then you can run the query with a session token.

See https://github.com/parse-community/Parse-SDK-JS/issues/413 for a useMasterKey example.

But then how do I set up the CLPs so that the query only returns me the rows that belong to the user? If I enable read to authenticated users, it seems it returns me all the rows regardless of the user associated with them.

@Moumouls here is the issue I am trying to describe. We are currently using Parse 3.6.0 and dashboard 2.0.4 and I am working towards updating these to the latest versions. In this environment, if I set the user’s column in the CLP and I do the query, it only returns me the rows associated to the user by the “user” column. If there are no rows associated to the user, it returns an empty list.

This behavior seems to have changed in the new version of PS + Dashboard. In these versions, I get the behavior I just described on my first post of this thread. Therefore some change broke backwards compatibility.

I recently opened an issue in github and we discussed a very related topic here. https://github.com/parse-community/parse-server/issues/6708

I don’t mind the new changes, but I would like to know how I can accomplish the same behavior that I was used to in the Parse + Dashboard that I currently use (3.6 and 2.0.4 respectively) on the newer versions of Parse + Dashboard (4.2.0 and 2.1.0 respectively).

Can you please post your class schema?

@BufferUnderflower sure

{
  className: 'FooClass',
  fields: {
    objectId: { type: 'String' },
    createdAt: { type: 'Date' },
    updatedAt: { type: 'Date' },
    ACL: { type: 'ACL' },
    name: { type: 'String', required: false },
    user: { type: 'Pointer', targetClass: '_User', required: false },
    users: { type: 'Array' }
  },
  classLevelPermissions: {
    find: { users: true, user: true },
    count: { users: true, user: true },
    get: { users: true, user: true },
    create: { users: true, user: true },
    update: { users: true, user: true },
    delete: { users: true, user: true },
    addField: { users: true, user: true },
    protectedFields: {}
  },
  indexes: { _id_: { _id: 1 } }
}

Adding to my previous comment, with Parse 3.6.0 and dashboard 2.0.4, the table is created this way

{
  className: 'FooOld',
  fields: {
    objectId: { type: 'String' },
    createdAt: { type: 'Date' },
    updatedAt: { type: 'Date' },
    ACL: { type: 'ACL' },
    name: { type: 'String' },
    user: { type: 'Pointer', targetClass: '_User' }
  },
  classLevelPermissions: {
    find: {},
    count: {},
    get: {},
    create: {},
    update: {},
    delete: {},
    addField: {},
    protectedFields: {},
    readUserFields: [ 'user' ],
    writeUserFields: [ 'user' ]
  },
  indexes: { _id_: { _id: 1 } }
}

Note that I cannot add the array column in the CLP because this is new behavior (post 4.0.0), which is why I did not create the users column in this schema. So I guess this all happens because the new dashboard does not add readUserFields/writeUserFields. This is just a guess, I haven’t fully familiarized myself with the code.

This seems to be a bug in parse-dashboard. I’ll work on a fix.
Meanwhile, try to apply CLP via api this way:

replace

find: { users: true, user: true },

with

find: { pointerFields: ["users", "user"] }

Sounds good! Thanks a lot for the info!
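The rewrite suggested in the last answer, generalized from find to the other object-level operations, as an added example (not code from this thread, parse-server or parse-dashboard). The names `repairClp`, `isUserField` and `OBJECT_OPS` are hypothetical, and it assumes a CLP key that is not `*`, `requiresAuthentication`, `role:...` or `pointerFields` is read by the server as a user objectId.

```javascript
// Added example: moves field names that were written as CLP grantees
// (e.g. find: { users: true, user: true }) into pointerFields.
// create/addField are not rewritten: the thread's fix only covers find, and
// pointer permissions are checked against an existing object's fields.
const OBJECT_OPS = ['find', 'count', 'get', 'update', 'delete'];

// Assumption from the posted schema: a Pointer to _User or an Array field
// can carry a pointer permission.
function isUserField(def) {
  return Boolean(def) &&
    ((def.type === 'Pointer' && def.targetClass === '_User') || def.type === 'Array');
}

// Returns a repaired copy of the CLP and the list of "op.field" entries moved.
function repairClp(schema, ops = OBJECT_OPS) {
  const clp = JSON.parse(JSON.stringify(schema.classLevelPermissions || {}));
  const moved = [];
  for (const op of ops) {
    const perms = clp[op];
    if (!perms || typeof perms !== 'object' || Array.isArray(perms)) continue;
    const pointerFields = new Set(perms.pointerFields || []);
    for (const key of Object.keys(perms)) {
      // Real grantees: public, authenticated, roles, and the pointerFields list.
      if (key === '*' || key === 'requiresAuthentication' ||
          key === 'pointerFields' || key.startsWith('role:')) continue;
      // Otherwise the key is treated as a user id; if it names a user field
      // of this class, it was meant as a pointer permission.
      if (isUserField(schema.fields[key])) {
        pointerFields.add(key);
        delete perms[key];
        moved.push(`${op}.${key}`);
      }
    }
    if (pointerFields.size > 0) perms.pointerFields = [...pointerFields];
  }
  return { clp, moved };
}

// Constructed sample: trimmed copy of the FooClass schema posted above.
const fooClass = {
  className: 'FooClass',
  fields: {
    name: { type: 'String', required: false },
    user: { type: 'Pointer', targetClass: '_User', required: false },
    users: { type: 'Array' },
  },
  classLevelPermissions: {
    find: { users: true, user: true }, get: { users: true, user: true },
    create: { users: true, user: true }, protectedFields: {},
  },
};
console.log(JSON.stringify(repairClp(fooClass), null, 2));
```

The returned `clp` is the object to send as `classLevelPermissions` when applying the CLP via the API with the master key, as the answer suggests.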